Example 5—Unprotected Flexible Inline, Inline Tool Group

Example 5 adds an inline tool group to Example 4. It has the same two inline networks and five inline tools, but now the third, fourth, and fifth tools (t1112, t1314, and t1516) are in an inline tool group. The maps have been modified to direct traffic to the inline tool group.

For example, the inline tools can be Web Application Firewall (WAF), Intrusion Prevention System (IPS), while the Advanced Persistent Threat (APT) is the inline tool group.

The inline tool aliases are t0708 to t1516, based on ports x7 to x16. The inline tool group alias is ITG1.

Use the following steps to configure Example 5:

Step

Description

Command
1.    

Configure inline network ports, port type (inline-network), and administratively enable inline network ports.

(config) # port 1/3/x1..x4 type inline-network
(config) # port 1/3/x1..x4 params admin enable
2.  

Configure inline networks.

(config) # inline-network alias n0102 pair net-a 1/3/x1 and net-b 1/3/x2

(config) # inline-network alias n0304 pair net-a 1/3/x3 and net-b 1/3/x4
3.  

Configure inline tool ports, port type (inline-tool), and administratively enable inline tool ports.

(config) # port 1/3/x7..x16 type inline-tool
(config) # port 1/3/x7..x16 params admin enable
4.  

Configure inline tools, specify that the inline tool is going to be shared by different sources, and enable them.

(config) # inline-tool alias t0708 pair tool-a 1/3/x7 and tool-b 1/3/x8
(config) # inline-tool alias t0708 shared true
(config) # inline-tool alias t0708 enable

(config) # inline-tool alias t0910 pair tool-a 1/3/x9 and tool-b 1/3/x10
(config) # inline-tool alias t0910 shared true
(config) # inline-tool alias t0910 enable

(config) # inline-tool alias t1112 pair tool-a 1/3/x11 and tool-b 1/3/x12
(config) # inline-tool alias t1112 shared true
(config) # inline-tool alias t1112 enable

(config) # inline-tool alias t1314 pair tool-a 1/3/x13 and tool-b 1/3/x14
(config) # inline-tool alias t1314 shared true
(config) # inline-tool alias t1314 enable

(config) # inline-tool alias t1516 pair tool-a 1/3/x15 and tool-b 1/3/x16
(config) # inline-tool alias t1516 shared true
(config) # inline-tool alias t1516 enable
5.  

Configure inline tool group and parameters. Enable it and then configure failover action.

(config) # inline-tool-group alias ITG1
(config inline-tool-group alias ITG1) # tool-list t1112,t1314,t1516
(config inline-tool-group alias ITG1) # hash advanced
(config inline-tool-group alias ITG1) # enable
(config inline-tool-group alias ITG1) # failover-action tool-bypass
(config inline-tool-group alias ITG1) # exit
6.  

Configure maps from inline networks to inline tools in both directions, add user-defined tags, and enable maps.

For the rule-based map, configure a rule (one rule only) to direct traffic to the tools. The rule can be based on any map rule criteria such as TCP port, IP subnet, or VLAN.

Note:  The tag is optional. The default is auto, which automatically assigns tags.

(config) # map alias FLEX1
(config map alias FLEX1) # type flexInline collector
(config map alias FLEX1) # from n0102
(config map alias FLEX1) # a-to-b t0708,t0910,ITG1
(config map alias FLEX1) # b-to-a reverse
(config map alias FLEX1) # tag 100
(config map alias FLEX1) # enable
(config map alias FLEX1) # exit
(config) #

(config) # map alias FLEX2
(config map alias FLEX2) # type flexInline collector
(config map alias FLEX2) # from n0304
(config map alias FLEX2) # a-to-b t0708,ITG1
(config map alias FLEX2) # b-to-a reverse
(config map alias FLEX2) # tag 200
(config map alias FLEX2) # enable
(config map alias FLEX2) # exit
(config) #

(config) # map alias FLEX3
(config map alias FLEX3) # type flexInline byRule
(config map alias FLEX3) # from n0102
(config map alias FLEX3) # a-to-b ITG1
(config map alias FLEX3) # b-to-a reverse
(config map alias FLEX3) # rule add pass ipver 4
(config map alias FLEX3) # tag 300
(config map alias FLEX3) # enable
(config map alias FLEX3) # exit
(config) #
7.  

Configure the path of the traffic to inline tools.

(config) # inline-network alias n0102 traffic-path to-inline-tool

(config) # inline-network alias n0304 traffic-path to-inline-tool